heroku:spring只能通过https访问端点 [英] heroku : spring boot acces to endpoints with https only
问题描述
Iam使用
compile(org.springframework.boot:spring-boot-starter-security)
用于加密工具(散列密码)。我已经将security.basic.enable属性设置为false(实际上不知道它是否在这种情况下很重要)。
尝试设置这些设置:
tomcat:
remote_ip_header:x-forwarded-for
protocol_header:x -forwarded-proto
在我的application.yml中
是,我如何才能实际强制端点只能通过https链接使用?对于http,它可能会返回404或其他东西。我使用gradle,它很难找到任何使用它的参考。尝试了谷歌发现的一些事情,但它没有奏效(或者我不知道如何正确实施它们......)。我仍然可以通过邮递员通过http访问我的端点。
现在看起来像这样:
@Controller
@RequestMapping(/ users)
public class AccountController {
@Autowired
private AccountRepository accountDao;
$ b @RequestMapping(value =/ register,method = RequestMethod.POST,consumes =application / json)
public ResponseEntity< Resource< Account>> createAccount(@RequestBody @Valid Account account){...}
其实我已经找到了一个解决方案(最后)在这个repo https://github.com / fenrirx22 / springmvc-https-enforcer 。
创建2个类:
@Configuration
public class ApiConfig {
@Bean
public Filter httpsEnforcerFilter(){
return new HttpsEnforcer();
$ / code $ / pre
$ b $ p
public class HttpsEnforcer实现Filter {
private FilterConfig filterConfig;
public static final String X_FORWARDED_PROTO =x-forwarded-proto;
@Override
public void init(FilterConfig filterConfig)throws ServletException {
this.filterConfig = filterConfig;
$ b @Override
public void doFilter(ServletRequest servletRequest,ServletResponse servletResponse,FilterChain filterChain)throws IOException,ServletException {
HttpServletRequest request =(HttpServletRequest )servletRequest;
HttpServletResponse响应=(HttpServletResponse)servletResponse;
if(request.getHeader(X_FORWARDED_PROTO)!= null){
if(request.getHeader(X_FORWARDED_PROTO).indexOf(https)!= 0){
response .sendRedirect(https://+ request.getServerName()+ request.getPathInfo());
return;
}
}
filterChain.doFilter(request,response);
}
@Override
public void destroy(){
// nothing
}
}
像一个魅力。
I have a Spring Boot java app deployed on heroku. I want to be sure that my registration endpoint can be only accessed by https. So far I've known, heroku uses load balancer which redirect every https connection to http with a special header (X-forwarded-porto).
Iam using
compile("org.springframework.boot:spring-boot-starter-security")
for encryption tools (hashing password). I've set the "security.basic.enable" properties to false (actually don't know if it matters in that case.).
Tried already setting these settings :
tomcat:
remote_ip_header: x-forwarded-for
protocol_header: x-forwarded-proto
in my application.yml
The question is, how i can actually enforce endpoint to be used only via https link? For http it could return 404 or something. I am using gradle and its kinda hard to find any refference using it. Tried a couple of things found in google but it didn't work ( or I don't know how to implement them correctly...). I've still could access my endpoint via http with postman.
Right now it looks like this:
@Controller
@RequestMapping("/users")
public class AccountController {
@Autowired
private AccountRepository accountDao;
@RequestMapping(value = "/register", method = RequestMethod.POST, consumes = "application/json")
public ResponseEntity<Resource<Account>> createAccount(@RequestBody @Valid Account account) { ... }
解决方案 Actually I've found a solution ( finally ) in this repo https://github.com/fenrirx22/springmvc-https-enforcer.
Created 2 classes:
@Configuration
public class ApiConfig {
@Bean
public Filter httpsEnforcerFilter(){
return new HttpsEnforcer();
}
}
and:
public class HttpsEnforcer implements Filter {
private FilterConfig filterConfig;
public static final String X_FORWARDED_PROTO = "x-forwarded-proto";
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
if (request.getHeader(X_FORWARDED_PROTO) != null) {
if (request.getHeader(X_FORWARDED_PROTO).indexOf("https") != 0) {
response.sendRedirect("https://" + request.getServerName() + request.getPathInfo());
return;
}
}
filterChain.doFilter(request, response);
}
@Override
public void destroy() {
// nothing
}
}
Works like a charm.
这篇关于heroku:spring只能通过https访问端点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!